Cybersecurity was a major topic at this week's Fortune Brainstorm Tech conference, with former CIA director John Brennan, former NSA chief Keith Alexander, former JSOC commander Stanley McChrystal and a number of private industry experts all addressing it. Much of the conversation covered the alleged Russian hacks during the 2016 presidential election; Brennan, as well as several well-known reporters, discussed that issue and its impact. I was particularly interested in the conversation about how the US could respond to such cyber-attacks and the difficulty of formulating an appropriate response.

Former CIA Director John Brennan discussed the agency's role in cybersecurity but said there is "no consensus on [the] role of government in cyber," in terms of monitoring activity in digital environments. Brennan said each attack is unique, and the government must first attribute an attack to determine responsibility and then devise an appropriate response.

Inevitably, the conversation focused on the alleged Russian hacking of the 2016 election. Brennan said he had come across the hacking in the spring of last year, and tried to prevent the Russians' more destructive actions. He said the CIA has seen Russian involvement in European elections for many years, with propaganda and intelligence in both the digital and physical spaces. By summer, he said, "it became clear to me that this was a campaign authorized by Putin." This led to the forming of a "fusion cell" with representatives of the FBI, CIA, and NSA, so the agencies could share sensitive information. When CrowdStrike released clear evidence that the Democratic National Committee had been hacked, it became a very public matter, but he said that the CIA did not engage with the domestic investigation, which would fall under the purview of the FBI.

Brennan said Russia's first objective was to undermine the credibility of the electoral process, then to damage Hillary Clinton and promote Donald Trump. He said that this wasn't a partisan issue, and that he didn't want to see it become one because he didn't want it to be seen as impacting the integrity of the election. Brennan said he personally briefed the President and the "Gang of 8" congressional leadership to underscore the severity of the attack.

"It surprised me that there was not more deep interest in it," Brennan said, adding that he "thought partisan considerations overshadowed national security concerns."

Brennan, who has served in both Democratic and Republican administrations, was very critical of President Trump's treatment of the intelligence community and of Russia, and said that Trump is a "selective consumer of intelligence." This attitude undermines the confidence of people within the intelligence community, as well as our ability to work with allies. Brennan said Russian President Vladimir Putin assaulted the democratic process, invaded Ukraine and annexed Crimea, and that when Trump said it was a great honor to meet Putin, "it made my blood boil."

Asked about the FBI investigation, Brennan said there are three areas to look at—collusion, obstruction of justice, and financial irregularities. He said he didn't know what the investigation would find, but credited the FBI for the great work it does on these kinds of investigations.

Asked if there were things the CIA could have done to Russian infrastructure, he said the US "has tremendous capabilities in the cyber realm; defensive and offensive." But Brennan said there are big questions about when you exercise such capabilities and what the response would be. "Do we want to do the things we are condemning?" he asked.

In general, Brennan said, the government tries to lead by example when possible. He discussed the difficulty of attribution, saying it's hard to know if an attack emanated from a country, and if so, whether the government knew about it, which is very different from the physical world. He emphasized to his Chinese counterparts that they have a responsibility, and noted that most big attacks take place from China, though not all with authorization.

I asked about encryption, and he said he supports the strongest possible encryption. But then he added that he doesn't want a mobile device with unbreakable encryption to "be a safe harbor that could lead to our destruction." Brennan said currently we have "two poles" on this issue, and he hopes dialog can achieve a compromise.

Former NSA Director: We Should, but Can't, Secure the Internet

Another panel focused on cybersecurity. It featured former NSA director Keith Alexander, now CEO of IronNet Cybersecurity, along with Area 1 Security CEO Oren Falkowitz and HackerOne CEO Mårten Mickos.

Alexander said he believes that the theft of intellectual property is the greatest threat in cybersecurity, and we must consider that the way we work, play, shop, and store IP is now all on the internet. "That's all at risk, and we've got to do something about it," he said. Alexander said the "bad guys" will always attack us and as a country we need to do a better job of defending ourselves.

"We can create the best cyber defense, and we ought to do that," Alexander said, and noted that when he recently met with President Trump, the president asked all the right questions and was well-prepared and focused on the issue. This, he said, bodes well for what we're trying to do in cyber defense.

Falkowitz, who worked for the NSA for many years, noted that "it is not the role of our government to protect everyone in the company over business issues," and said private companies need the help that cybersecurity companies offer. (Area 1 makes anti-phishing solutions.)

Mickos' company employs more than 100,000 hackers, who look for weaknesses in a company's security upon invitation. A year ago, Mickos ran a "Hack the Pentagon" program, in which 140,000 vetted hackers found 138 vulnerabilities in 8 weeks, the first within 13 minutes. He likened this to immunization, and said that looking for vulnerabilities is the "best way to secure software."

One big question that came up related to the government's retention of some bugs it has uncovered for use in its intelligence gathering capabilities. Alexander said that "90 percent should be and are shared" but that the country needs to go through an "equities process" and keep some bugs that are exceptionally difficult to find, which it can then use to go after terrorists, for example. But, Alexander said, the government needs a rapid way to disclose the vulnerability if it leaks out, as well as an ability to track incidents if that happens. He said the NSA is making a real effort to balance these concerns. "If you can completely secure the internet, we should do it," he said, "but we can't."

Falkowitz said it's a mistake to focus on bugs, and that we should instead focus on time and action, noting that Microsoft released a patch for WannaCry long before the vulnerability was exploited.

I asked Alexander about where we cross the line between spying and "cyberwar," and he said it all comes down to the intent to inflict damage. He said it is understood that nations spy on one another (every nation does that), but the attacks on Sony and in the Ukraine, for instance, crossed the line. Nation-states that intend to do harm "will test us in cyberspace," he said.

Hacking, Fake News, and the Media

In a panel on "fake news," both NBC News Chief Foreign Affairs Correspondent Andrea Mitchell and New York Times National Security Correspondent David Sanger defended their stories about Russian efforts to use hacking to influence the US election. Mitchell, in particular, focused on how the election may have been influenced by bots and criminal organizations microtargeting false or misleading information into specific precincts in three states.

Sanger noted that the Times had published a series on Russian activities in other countries, and said that what Russia did in the Ukraine was a "testing ground" for all of the techniques used in last year's US election, as well as in other elections in Europe. But, he added that while you can often determine where a hack originated, it's difficult to identify who is supporting hackers, whether this is a government, criminals, teenagers, or "patriotic hackers," so there is a level of deniability.

Both fervently defended their stories and criticized the president's terming of stories he doesn't like as "fake news." Mitchell acknowledged that there has always been tension between the president and the media, but said the current tension is different and incredibly dangerous. Univision and Televisa Chief Content Officer Isaac Lee said that "this is starting to look like a Latin American third-world country." Still, Sanger said the biggest mistake the media could make would be to "become the resistance to the government," and that the press instead just needs to focus on producing quality, fact-based journalism.

Mitchell and Sanger talked about the difficulty of covering some stories, such as the illegally-hacked emails of Clinton campaign manager John Podesta. Mitchell said the emails had news value, and said they were covered from the standpoint of the political impact, but said "we have not figured out" what to do with this type of material. Sanger said he wrote stories based on the emails that also underscored the oddity of the news source. "We have a lot of thinking and self-reflection to do on this point," he said.

"Getting an Organization to Change is Hard"

Retired General Stanley McChrystal, former commander of US Forces in Afghanistan and developer of the counter-terrorism program, mostly discussed leadership, which will be the subject of an upcoming book he and his group are writing.

McChrystal noted that in the military as well as in business, the management structures that worked in the industrial age have "suddenly stopped being effective." He said things are happening so rapidly that traditional bureaucratic and mechanical systems struggle. "Technology is never the problem, but getting an organization to change is hard," McChrystal said, noting that a culture within an organization reflects what has worked in the past.

On foreign policy, it's all about allies, McChrystal said, adding that "'America First' sounds like 'America Only' to the rest of the world." After the second world war, he said the US accounted for 46 percent of the world's GDP, but this isn't the case anymore. Asked about the President, he urged the audience to personally take a look at him, and imagine standing in his shoes. "Be empathetic," he said, "make your own decision."

One issue McChrystal highlighted is how most Americans don't have much contact with the military. Only 30 percent of young Americans are even qualified to participate in the military, and he said that "every young American deserves the opportunity to do a year of national service." Conference chair Adam Lashinsky of Fortune asked whether there were any active-duty military in the audience; seeing none, he committed to making sure that changes next year.
